ID token having a protected microcontroller

ABSTRACT

An ID token includes a sensor, a communication interface, and a first microcontroller. The ID token includes a protected second microcontroller having at least one microcontroller communication interface, which is arranged in a holder of the ID token, wherein the microcontroller communication interface provides a data input and a data output. The first microcontroller is configured as a proxy for switching between the sensing of the measurement data by the sensor and forwarding of the sensed measurement data from the sensor to the first application of the protected second microcontroller by the microcontroller communication interface thereof on the one hand and forwarding of notifications for establishing a connection between the second application and the reading device and/or forwarding of APDUs by the connection between the second application and the reading device on the other hand.

The invention relates to an ID token, comprising a sensor, a communication interface, and a first microcontroller, wherein the ID token comprises a protected second microcontroller having at least one microcontroller communication interface, which is arranged in a holder of the ID token, wherein the microcontroller communication interface provides a data input and a data output. The invention additionally relates to a method for checking measurement data of the sensor of an ID token according to the invention, and a system which comprises an ID token according to the invention of this kind and a reading device having a communication interface for data exchange with the communication interface of the ID token.

ID tokens for identifying or authenticating an owner of the corresponding ID token are known from the prior art, for example in the form of documents, such as personal identification documents and passports, but also access cards, which are intended for example to allow a certain person access to a secure area, or signature cards, with which an electronic document can be signed.

In the case of an automated, electronic checking of ID tokens of this kind, there is the problem in the prior art that it cannot be guaranteed that the corresponding documents are used only by the person for whom the ID tokens were provided. From the viewpoint of an electronic system with which the ID token is used for identification or authentication, the identity of the user is defined solely by the ID token used. For example, any other person can use a found ID token, such as an access card, in order to gain access to a locked area.

A solution to this problem is offered for example by an additional authentication process, in which an additional security attribute, for example a PIN or a biometric feature, is requested from the user of the ID token, so that authorisation is not proven simply by possession of the ID token. For example, in this case the user of the ID token is requested to input a corresponding additional security attribute at a terminal or another external device.

A further problem in the prior art is constituted by possible attempts at manipulation of the ID token. An unauthorised individual can thus, by means of corresponding manipulations of the ID token, attempt to gain access to the attributes for identification or authentication stored on the ID token. In particular, there is the risk that the ID token will be manipulated in such a way that it confirms the presence of an additional security attribute of the above-described type, although this is not actually the case.

An exemplary scenario for this would be an unauthorised third party who replaces an additional security attribute of the authorised user of the ID token stored on the ID token, for example a PIN or a biometric feature, with a security attribute selected by the unauthorised third party, for example a new PIN or a biometric feature of an unauthorised user. In spite of the additional security attribute, there is thus still a risk of misuse.

In order to increase the security of an ID token against manipulation attempts of this kind, the use of a protected microcontroller on the ID token and/or of an encryption of the communication of the ID token with external devices, such as reading devices, is recommended, for example. For protection against unauthorised access, protected microcontrollers have limited physical access possibilities. Particularly secure microcontrollers are thus known which, for example, have precisely one communication interface for contact-based communication with external elements, wherein the communication interface provides precisely one data input and one data output.

Due to the limited communication possibilities of a protected microcontroller of the above-described kind, however, said microcontroller on the one hand cannot be used to exchange data with a reading device, and on the other hand cannot be used to check an additional security attribute, for example a PIN or a biometric feature, by means of a corresponding sensor.

The possibilities that remain are either to use an ID token effectively secured against manipulation, wherein the identity of the actual user of the ID token is unknown, or to use an ID token supposedly protecting the identity of the actual user by means of an additional security attribute, wherein, however, the ID token remains susceptible to manipulation. Neither of these two possibilities can effectively prevent misuse in the form of unlawful use.

Furthermore, an input of the additional features, such as a biometric feature or a PIN, at the terminal or another external device is at risk of a possible skimming attack. The user cannot detect from outside whether the input device has been subject to manipulations by means of which an attacker can record/intercept the additional features.

The object of the present invention is to prevent the problem described at the outset of unlawful use of an ID token.

This object is achieved by the features of the independent claims. Embodiments of the invention are described in the dependent claims. Unless expressly stated otherwise, embodiments of the invention can be freely combined with one another.

An “ID token” is understood here in particular to mean a portable electronic device which comprises at least one protected electronic data memory for storing attributes and a communication interface for reading the attributes. The memory area is protected in order to prevent the attributes stored in the memory area from being changed without permission or read without the authorisation necessary for this purpose. In other words, the memory area can only be accessed when the access authorisation necessary for this is given.

In particular, the ID token can be a USB stick or a document, in particular a document of value or security document, for example in the form of a chip card. In accordance with the invention, a “document” is understood to mean paper-based and/or plastic-based documents, for example electronic identification documents, in particular passports, personal identification cards, visas and driver's licenses, vehicle registration documents, vehicle titles, company identification documents, health insurance cards or other ID documents, and also chip cards, in particular an access card or signature card, payment means, in particular banknotes, bank cards and credit cards, waybills or other proofs of authorisation, in which there is integrated a data memory for storing at least one attribute.

The ID token can be a hardware token or a soft token, if bound cryptographically to a hardware token, that is to say for example to what is known as a secure element. In particular, a soft token of this kind bound cryptographically to a secure element can be produced in accordance with DE 10 2011 082 101.

An “attribute” is understood generally to mean a data value, for example a number or a text. The attribute can be a piece of information with regard to the identity of a user to whom the ID token is assigned, in particular with regard to what is known as the digital identity of said user. For example, the surname, first name, or address of the user can constitute attributes. An “attribute” here in particular is understood to mean data relating to the user of the ID token or the ID token itself, in particular personalisation data, such as personal data of the user, a period of validity, or the issuer of the ID token or a piece of payment information, such as credit card data or other data for an electronic payment system. An attribute can also include data used to check the authorisation of the user to utilise a specific online service, for example the age of the user if the user wishes to use an online service reserved for a specific age group, or another attribute documenting the affiliation of the user to a specific group authorised for use of the online service. An “attribute” can also denote a data value which comprises authorisation to access an access-restricted security system. In this regard, the attribute can also specify the affiliation to a certain group, wherein the access to the access-restricted security system is dependent on the affiliation to said group.

A “reading device” is understood here to mean an electronic device which enables read access and also write access to the ID token, in particular a terminal, for example in the form of what is known as a chip card terminal. The reading device can form an integral part of a user computer system or can be formed as a separate component, for example as a peripheral device of the user computer system. In particular, the reading device can be what is known as a class 1, 2 or 3 chip card reading device. The reading device can be equipped with a contactless and/or contact-based interface for data exchange with an ID token.

A “microcontroller” or system-on-a-chip (SoC) is understood here to mean a semiconductor chip which comprises at least a processor, a communication interface and a memory.

A “protected microcontroller” denotes a microcontroller having physically limited access possibilities. In particular, what is understood here by a protected microcontroller is a microcontroller having precisely one communication interface for contact-based communication with external elements, wherein the communication interface provides precisely one data input and one data output. A protected microcontroller may have further measures against misuse, in particular against unauthorised access to data in the memory of the microcontroller. For example, a protected microcontroller comprises sensors for monitoring the state of the microcontroller and surroundings thereof so as to identify deviations from normal operation, which can indicate manipulation attempts. Corresponding sensor types for example comprise a clock frequency sensor, a temperature sensor, a voltage sensor and/or a light sensor. Clock frequency sensors, temperature sensors and voltage sensors for example sense deviations from the clock frequency, temperature and/or voltage above or below a predefined normal range. In addition, a protected microcontroller can comprise a non-volatile electronic memory with a protected memory area.

Furthermore, a protected microcontroller can comprise means for cryptographic data protection, for example a random number generator, a generator for cryptographic keys, a hash generator, an encryption/decryption module, a signature module, certificates, and/or one or more non-migratable cryptographic keys, for example what is known as an Endorsement Key, Storage Root Key and/or Attestation Identity Keys.

A “non-volatile electronic memory” is understood here to mean a memory for storing data, in particular attributes, which is also referred to as a non-volatile memory (NVM). In particular, the memory in this case can be an EEPROM, for example a flash EEPROM, referred to as a flash for short.

A “protected memory area” is understood here to mean an area of an electronic memory to which access, that is to say read access or write access, by a processor coupled to the memory is made possible only when a condition necessary for this is satisfied. For example, this can be a cryptographic condition, in particular a successful authentication and/or a successful authorisation check. The memory can be configured such that access to the protected memory area is possible only via the coupled processor. In particular, a “protected memory area” of an ID token is understood to mean an electronic memory in which data are stored, for example an attribute and/or a data structure, which can be read from the electronic memory by a reading device, deleted or modified only when the reading device has authenticated itself to the ID token and/or has proven to the ID token its authority to read, delete and/or write the data in question, for example with the aid of an authentication certificate in which such rights of the reading device are specified. For example, the electronic memory can be an EEPROM, in particular a flash EEPROM.

A “processor” is understood here to mean a logic circuit used to execute program instructions. The logic circuit can be implemented on one or more discrete components, in particular on a chip.

A “communication interface” is understood here to mean an interface via which data can be received and sent, wherein the communication interface can be configured in a contact-based manner or contactlessly, for example in accordance with an RFID and/or NFC standard.

An “application” is understood here, without limitation, to mean any type of computer program which comprises machine-readable instructions for controlling a functionality of the ID token.

A “proxy” is understood here to mean a switching element which is configured to produce a data connection between a receiver and a transmitter of data and to switch over to one or more other data connections which connect the same receiver or transmitter to another transmitter or receiver.

A “sensor” is understood here to mean an element for sensing measurement data. Measurement data are data that qualitatively or quantitatively express physical or chemical properties of a measurement object, for example a quantity of heat, temperature, moisture, pressure, sound field parameters, brightness, acceleration, pH value, ion strength, electrochemical potential and/or material characteristics thereof. Measurement data are sensed by means of physical or chemical effects and are converted into an electronically processible electrical signal. In addition, sensors in particular also comprise elements for sensing an input of information, for example a keyboard, keypad, mouse, touchscreen and/or elements for sensing gestures.

An “encrypted end-to-end connection” is understood here to mean a connection between a transmitter and a receiver with end-to-end encryption, in which data to be transmitted are encrypted by the transmitter and are only decrypted again by the receiver. Transmitted data are thus encrypted across all transmission stations, such that intermediate stations do not have any knowledge of the content of the transmitted data, on account of the encryption. The connection is cryptographically secured by the encryption so as to prevent exposure and/or manipulation of the transmission, wherein what is known as a Secure-Messaging method can be used for this purpose. A method for establishing an encrypted end-to-end connection of this kind between an ID token and a reading device is described for example in German patent application 10 2015 202 308.7.

A “certificate” is understood here to mean a digital certificate, which is also referred to as a Public Key certificate. A certificate constitutes structured data used to assign a public key of an asymmetric cryptosystem to an identity, for example a person or a device. Alternatively, certificates based on zero-knowledge cryptosystems are also possible. For example, the certificate can correspond to standard X.509 or another standard. For example, the certificate is a Card Verifiable Certificate (CVC).

The attribute or attributes of the user, stored in the protected memory area of the ID token, for which a reading device is authorised to perform read access can be specified in the certificate. Furthermore, the respective write permissions for attribute specifications or attributes can also be defined in a certificate. A certificate of this kind is also referred to as an authorisation certificate. Furthermore, a certificate can specify whether an authentication with the on-chip sensors may be initiated by the terminal.

An “Application Protocol Data Unit” (APDU) is a communication unit of a communication between a chip card and a chip card application according to the ISO 7816 standard. An APDU is a communication unit at application level corresponding to layer 7 in the OSI layer model. A distinction can be made between command APDUs and response APDUs. Command APDUs transmit commands to the chip card, whereas the response APDUs transmit the chip card responses to corresponding commands. The structures of command APDU and response APDU are defined in the standard ISO 7816-4. A command APDU consists of a header comprising header data and an optional body comprising user data; a response APDU consists of an optional body comprising the response data of the command and an obligatory trailer. The trailer provides information regarding the successful processing of the command or the type of error preventing or interrupting said processing.

In the case of encrypted APDUs, the user data are in each case encrypted, whereas the header data remain unencrypted, so as to ensure a correct assignment and processing of the APDUs.

Communication based on a master/slave relationship between two or more subscribers is understood here to mean a data exchange in which precisely one subscriber takes on the role of the master and all further subscribers take on the role of slaves. The communication is implemented here with use of a question-response protocol, in which only the master as sole subscriber has the authorisation to initiate a data transmission from itself, i.e. to send a corresponding query to one of the slaves, whereas the slaves can merely reply with responses, but do not have the possibility to themselves actively intervene in the communication or initiate such communication.

A “logical channel” is understood to mean a local connection between two data end devices or network nodes, wherein a logical channel is realised by channel addresses in the transmitted data packets. Each channel is assigned a “context”, which defines a state and/or an application of the target data end device or the target network node.

In one aspect, the invention relates to an ID token comprising a sensor, a communication interface, and a first microcontroller, wherein the ID token comprises a protected second microcontroller having at least one microcontroller communication interface, which is arranged in a holder of the ID token, wherein the microcontroller communication interface provides a data input and a data output,

-   wherein the sensor is configured to sense measurement data,
-   wherein the first microcontroller, for data exchange with the microcontroller communication interface of the protected second microcontroller, is connected to the sensor and to the communication interface of the ID token, and wherein the first microcontroller is configured to exchange data with a reading device via the communication interface of the ID token,
-   wherein the protected second microcontroller comprises a first and a second application,
-   wherein the first application is configured to compare the measurement data of the sensor with comparison data stored in a memory of the second microcontroller and to forward the comparison result to the second application,
-   wherein the second application is configured to establish a connection to the reading device and to output specified data by a read command of the reading device,
-   wherein the first microcontroller is configured as a proxy for switching between the sensing of the measurement data by the sensor and forwarding of the sensed measurement data from the sensor to the first application of the protected second microcontroller by means of the microcontroller communication interface thereof on the one hand and forwarding of notifications for establishing a connection between the second application and the reading device and/or forwarding of APDUs by means of the connection between the second application and the reading device on the other hand.

Embodiments can have the advantage that they offer effective protection against unlawful use of the ID token. On the one hand, an ID token according to the invention offers the possibility to check the presence of additional security attributes by means of the sensor and on the other hand allows the use of a protected microcontroller, which for example is configured to communicate in an encrypted manner with the reading device and at the same time offers a high level of security on account of the limited possibility for access. In accordance with embodiments, the memory of the second microcontroller comprises a protected memory area, in which at least one attribute of the ID token is stored. In accordance with embodiments the comparison data are stored in the protected memory area of the memory of the second microcontroller. In accordance with embodiments the ID token comprises a plurality of sensors.

Embodiments can have the advantage that manipulation of the sensor, for example for a skimming attack, is prevented by the use of a sensor integrated in the ID token.

The first microcontroller configured as a proxy allows a switchover between a data connection of the protected second microcontroller to one or more sensors of the ID token and a data connection of the second microcontroller to the reading device. In accordance with embodiments the first microcontroller for this purpose has a plurality of communication interfaces which provide a plurality of data inputs and data outputs.

The sensor offers the possibility to include additional external security attributes for checking authentication and/or authorisation. These security attributes can concern the identity of the user of the ID token, for example in the case of a fingerprint sensor, or knowledge of the user, for example a PIN keypad for inputting a PIN known only to the user, or ambient parameters, as are provided for example by a temperature sensor or a GPS receiver. The memory of the protected second microcontroller comprises comparison data for the measurement data to be sensed by the sensors in an application scenario predefined as permitted. If the sensed measurement data match the comparison data, it is assumed that a permitted application scenario is present. An application scenario of this kind for example is the use of the ID token by a person having a specific identity, by a person having specific knowledge, and/or a use of the ID token at a specific location.

The ID token or the two applications of the protected second microcontroller can be configured to communicate the results of the comparison check with the reading device and/or to transmit requested data to the reading device only following a successful comparison check, or to execute received commands only following a successful comparison check.

In accordance with embodiments, the second application is configured to establish a connection to the reading device in the form of an encrypted end-to-end connection and to output the data specified by a read command of the reading device via the encrypted end-to-end connection, wherein encrypted APDUs are transmitted via the encrypted end-to-end connection.

Embodiments can have the advantage that the data exchange between reading device and ID token, in particular the requesting of one or more attributes, can be effectively protected against unauthorised access, such as recording or interception attempts. At the same time, the configuration of the first microcontroller as a proxy makes it possible to request measurement data of the sensor by switching over the data connections in spite of the encryption of the data transmitted by the encrypted end-to-end connection.

In accordance with embodiments the first microcontroller is configured:

-   to receive and temporarily store a first request of the reading device to establish the connection between the second application and the reading device,
-   upon receipt of the first request, to send a second request to sense the measurement data to the sensor,
-   upon receipt of the second request, to receive the sensed measurement data from the sensor and to forward said data to the first application,
-   to forward the temporarily stored first request to the second application.

Embodiments can have the advantage that, in the event of a request of a certain application, for example the first application, measurement data can be requested by way of precaution from the first microcontroller, so that said data is available as necessary to the protected second microcontroller and the requested application can refer to said data in spite of limited access possibilities to the second controller and an encrypted data exchange (not discernible from outside) with the requesting reading device. The same is true even in the case of operation of the second microcontroller as a slave relative to a first microcontroller operated as master. In accordance with embodiments the first request of the reading device to establish the connection is a request to establish an encrypted end-to-end connection.

In accordance with embodiments the first microcontroller is configured:

-   to receive an unencrypted communication sent from the reading device to the second application during the course of the establishment of the encrypted end-to-end connection, and to temporarily store and analyse said communication,
-   if the communication comprises a reference to measurement data sensed by the sensor, to send a request to sense the measurement data to the sensor,
-   upon receipt of the request, to receive the sensed measurement data from the sensor and to forward said data to the first application,
-   to forward the temporarily stored unencrypted communication to the second application.

Embodiments can have the advantage that measurement data are requested by way of precaution only when there are indications that these data are actually incorporated in the communication via the encrypted end-to-end connection to be established.

In accordance with embodiments the unencrypted communication is a certificate which authorises the reading device to check the measurement data sensed by the sensor by means of the first application.

Embodiments can have the advantage that measurement data are requested by way of precaution only when a requesting reading device also has authorisation to access these measurement data. If this is not the case, the measurement data are not provided, whether requested or not.

In accordance with embodiments the first microcontroller is configured to receive all communications sent from the reading device to the second application during the course of the establishment of the encrypted end-to-end connection, and to temporarily store and forward said communications, wherein, once the measurement data have been forwarded, all temporarily stored communications are forwarded again to the second application.

Embodiments can have the advantage that, in the event that the establishing of the connection is interrupted, this can be efficiently resumed, even if the previously achieved state of establishment has been lost as a result of the interruption.

In accordance with embodiments the protected second microcontroller is configured to provide a plurality of logical channels for data exchange via the microcontroller communication interface, wherein the communication via the encrypted end-to-end connection is performed over a first logical channel of the second microcontroller, and wherein the first microcontroller is configured

-   to receive and temporarily store an encrypted APDU sent via the encrypted end-to-end connection from the reading device to the second application and containing unencrypted header data and encrypted user data, and to analyse the header data,
-   if the header data comprise a reference to measurement data sensed by the sensor, to send a request to sense the measurement data to the sensor,
-   upon receipt of the request, to receive the sensed measurement data from the sensor and to forward said data to the first application over a second logical channel of the second microcontroller,
-   to forward the temporarily stored encrypted APDU to the second application over the first logical channel.

Embodiments can have the advantage that the measurement data are requested only when they have actually been queried. In addition, it is ensured by the use of two logical channels that the established encrypted end-to-end connection is not interrupted, and instead can continue over another channel in the event of a switchover, without hindering the transmission of the measurement data. In addition, the analysis of the header data makes it possible to maintain the encryption, thus increasing security, while the first microcontroller is nevertheless able to identify a request for measurement data of the sensor. In accordance with embodiments the data transmission over the first logical channel is interrupted during the transmission of the measurement data over the second logical channel and is continued once the measurement data transmission is complete, wherein the first logical channel remains in force during the interruption. Here, the switchover is controlled via the first microcontroller, which for example acts as a master, whereas the protected second microcontroller takes on the role of a slave.
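A model of the proxy switching in the embodiments above (temporarily storing the reader's request, analysing only the plaintext APDU header for a reference to measurement data, and carrying the sensor data to the first application over a second logical channel), written as an added Python example rather than code from the patent. The channel numbers, the use of the ISO 7816-4 VERIFY instruction as the header's reference to measurement data, the status words returned by the two applications and the sample APDUs are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import hmac

# Logical channel numbers on the protected microcontroller's single interface (assumed values).
CH_SECURE = 1   # carries the encrypted end-to-end connection between reader and second application
CH_SENSOR = 2   # carries measurement data from the proxy to the first application

# ISO 7816-4 instruction codes; treating VERIFY as the header's reference to sensor data is an assumption.
INS_VERIFY = 0x20
INS_READ_BINARY = 0xB0

SW_OK = b"\x90\x00"                      # ISO 7816-4: command processed normally
SW_VERIFY_FAILED = b"\x63\x00"           # ISO 7816-4: warning, verification failed
SW_SECURITY_NOT_SATISFIED = b"\x69\x82"  # ISO 7816-4: security status not satisfied


@dataclass(frozen=True)
class CommandApdu:
    """ISO 7816-4 command APDU: 4-byte header plus optional short-form body (Lc + data)."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""

    @classmethod
    def parse(cls, raw: bytes) -> "CommandApdu":
        if len(raw) < 4:
            raise ValueError("command APDU needs at least CLA INS P1 P2")
        cla, ins, p1, p2 = raw[:4]
        body = raw[4:]
        if not body:
            return cls(cla, ins, p1, p2)
        lc = body[0]
        if len(body) < 1 + lc:
            raise ValueError("Lc exceeds the available body")
        # A trailing Le byte is tolerated and ignored; the proxy never needs it.
        return cls(cla, ins, p1, p2, bytes(body[1:1 + lc]))

    @property
    def secure_messaging(self) -> bool:
        # For CLA 0x00-0x0F, bits b4/b3 carry the secure-messaging indication (ISO 7816-4).
        return self.cla <= 0x0F and (self.cla & 0x0C) != 0


class ProtectedMicrocontroller:
    """Second microcontroller: slave on one contact-based interface, two logical channels."""

    def __init__(self, comparison_data: bytes) -> None:
        self._comparison_data = comparison_data   # stands in for the protected memory area
        self.comparison_result: Optional[bool] = None

    def receive(self, channel: int, payload: bytes) -> bytes:
        if channel == CH_SENSOR:
            # First application: constant-time compare; only the boolean result reaches app2.
            self.comparison_result = hmac.compare_digest(payload, self._comparison_data)
            return SW_OK if self.comparison_result else SW_VERIFY_FAILED
        if channel == CH_SECURE:
            # Second application: releases data or executes commands only after a successful
            # comparison; decryption of the APDU body is omitted from this model.
            apdu = CommandApdu.parse(payload)
            if apdu.ins == INS_VERIFY:
                return SW_OK if self.comparison_result else SW_VERIFY_FAILED
            return SW_OK if self.comparison_result else SW_SECURITY_NOT_SATISFIED
        raise ValueError(f"unknown logical channel {channel}")


class ProxyMicrocontroller:
    """First microcontroller: master towards the protected MC, proxy between sensor and reader."""

    def __init__(self, sensor: Callable[[], bytes], protected: ProtectedMicrocontroller) -> None:
        self._sensor = sensor
        self._protected = protected
        self.trace: List[Tuple[int, str]] = []   # channel usage in order, for inspection

    def handle_from_reader(self, raw_apdu: bytes) -> bytes:
        buffered = raw_apdu                        # temporarily store the APDU exactly as received
        header = CommandApdu.parse(raw_apdu)       # header stays plaintext under secure messaging
        if header.ins == INS_VERIFY:
            # Switch over: channel 1 remains established but idle while the sensor path is used.
            sample = self._sensor()                # request measurement data from the on-token sensor
            self.trace.append((CH_SENSOR, "sensor->app1"))
            self._protected.receive(CH_SENSOR, sample)
        # Continue on channel 1 with the stored APDU, forwarded byte-for-byte (body still opaque).
        self.trace.append((CH_SECURE, "reader->app2"))
        return self._protected.receive(CH_SECURE, buffered)


def run_scenario(sensor_reading: bytes, enrolled: bytes) -> Tuple[bytes, bytes, List[Tuple[int, str]]]:
    """Reader sends an encrypted VERIFY, then READ BINARY; returns both status words and the trace."""
    protected = ProtectedMicrocontroller(enrolled)
    proxy = ProxyMicrocontroller(lambda: sensor_reading, protected)
    # Constructed APDUs: CLA 0x0C = secure messaging with authenticated header; the body
    # bytes stand in for ciphertext that the proxy cannot (and does not need to) read.
    verify = bytes([0x0C, INS_VERIFY, 0x00, 0x80, 0x04]) + b"\xde\xad\xbe\xef"
    read_binary = bytes([0x0C, INS_READ_BINARY, 0x00, 0x00, 0x02]) + b"\x11\x22"
    sw_verify = proxy.handle_from_reader(verify)
    sw_read = proxy.handle_from_reader(read_binary)
    return sw_verify, sw_read, proxy.trace
```

With a matching sensor reading both commands succeed; with a mismatch the VERIFY is refused and the subsequent READ BINARY is refused by the second application, while the proxy's trace shows the sensor path was used exactly once.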

In accordance with embodiments the at least one microcontrollercommunication interface of the protected second microcontroller is acontact-based communication interface.

Embodiments can have the advantage that an interception and/or recording of transmitted data is made difficult, thus increasing security.

In accordance with embodiments the protected second microcontroller comprises precisely one microcontroller communication interface.

Embodiments can have the advantage that the physical access possibilities to the protected second microcontroller can be efficiently minimised, thus increasing security.

In accordance with embodiments the first microcontroller is configured to exchange data contactlessly with a reading device via the communication interface of the ID token.

Embodiments can have the advantage that the use of the ID token is simplified, since the token does not first have to be brought into contact with the reading device. In particular, the process of checking the ID token can thus be accelerated, since the step of bringing into contact is spared. In addition, this allows the ID token to be held without restriction, such that it can be positioned optimally for one of the sensors to sense the measurement data. For example, the ID token can be held such that a fingerprint sensor of the ID token can be easily reached by the fingers of the user. In the case of a contact-based connection, the possibilities for positioning of the ID token are by contrast limited by the required contact.

In accordance with embodiments the first microcontroller is configured to exchange data with a reading device in a contact-based manner via the communication interface of the ID token.

Embodiments can have the advantage that an interception and/or recording of transmitted data is made difficult, thus increasing security.

In accordance with embodiments the second application comprises the first application.

Embodiments can have the advantage that the functionalities of the first and second application on the protected second microcontroller are combined or integrated in a common application. In this case, the second application natively comprises the functionality of the first application, or vice versa, whereby there is no need for a separate implementation of this functionality in a separate, independent application.

In accordance with embodiments the first and second application are separate, independent applications. Embodiments can have the advantage that all applications wishing to request the further features forward this request to a central application, i.e. the first application, and therefore only this one central application also takes on the tasks of management and checking.

In accordance with embodiments the measurement data are constituted by one or more biometric features, a PIN, acceleration data, GPS coordinates and/or temperature data.

Embodiments can have the advantage that the voice or identity of the actual user of the ID token can be checked by biometric features, such as fingerprints or a frequency pattern. A PIN checks whether the user has the necessary knowledge for lawful use of the ID token. Acceleration data can be used for example in order to identify the user on the basis of movement patterns. The location of use of the ID token can be determined via the GPS coordinates. Ambient conditions can be checked by means of the temperature, for example in order to determine the actual location of use of the ID token. In addition, in combination with a fingerprint sensor it is possible for example to test whether a finger is actually arranged on the sensor at the time of sensing of the measurement data.

In accordance with embodiments the ID token comprises a plurality of different sensors for sensing a plurality of different items of measurement data, to which the first microcontroller is connected for data exchange, wherein the first application is configured to compare the measurement data of each sensor with comparison data stored in a memory of the second microcontroller and to forward the comparison results to the second application.

Embodiments can have the advantage that a complex use scenario can be defined, in which use of the ID token is permitted. In order to confirm an identity and/or authorisation by means of the ID token, a plurality of different items of measurement data sensed by means of different sensors for example must be correct, i.e. must match predefined comparison data. In addition, graded security levels can be defined. For simple access to a building and/or computer system, the knowledge of a PIN can be sufficient, and for a legally binding digital signature this knowledge may be necessary in conjunction with a confirmation of the identity of the user via one or more biometric features.

In accordance with embodiments the first microcontroller is configured as a master and the protected second microcontroller is configured as a slave.

Embodiments can have the advantage that they increase the security, since the security-sensitive second microcontroller cannot actively intervene in the communication. The second microcontroller therefore cannot be manipulated to transmit invalid data.

In accordance with embodiments the second microcontroller is physically protected by one or more of the following elements: a clock frequency sensor, a temperature sensor, a voltage sensor, and/or a light sensor.

Embodiments can have the advantage that these sensors offer an effective possibility for monitoring the state of the second microcontroller and the surroundings thereof, and thus make it possible to identify physical manipulation attempts in good time.

In accordance with embodiments the second microcontroller is cryptographically protected by one or more of the following elements: a random number generator, a generator for cryptographic keys, a hash generator, an encryption/decryption module, a signature module, one or more certificates and/or one or more non-migratable cryptographic keys.

Embodiments can have the advantage that both the data storage and the data transmission by means of the second microcontroller satisfy high cryptographic security requirements.

In accordance with embodiments the microcontroller communication interface of the protected second microcontroller is hard-wired to the first microcontroller.

Embodiments can have the advantage that a removal of the protected second microcontroller from the ID token for the purposes of manipulation is made difficult. In particular, the wiring can be such that removal without destruction, with the microcontroller communication interface remaining functional, is prevented.

In accordance with embodiments the protected second microcontroller is configured as an exchangeable module and the holder of the ID token is configured as a plug-in connection for the module, wherein the microcontroller communication interface of the protected second microcontroller is releasably contacted with the first microcontroller.

Embodiments can have the advantage that the ID token can be used as a platform for use with different protected second microcontrollers. This increases in particular the compatibility with developments of the protected microcontroller and additionally allows standardised mass production.

In accordance with embodiments the ID token has an output device to which the first microcontroller is connected for data exchange.

Embodiments can have the advantage that they simplify operation of the ID token and provide instructions for use of the sensors and information regarding the state of use of the ID token. This is advantageous in particular in the case of a plurality of sensors. Corresponding output devices can be a display or LEDs, for example. In particular, the sensor can also be integrated in an output device, for example a touch-sensitive display.

In a further aspect the invention relates to a system which comprises an ID token according to any one of the preceding claims and a reading device having a communication interface for data exchange with the communication interface of the ID token, wherein the reader is configured to establish a connection to the second application of the protected second microcontroller and to send APDUs to the second application and/or to receive APDUs from the second application via the established connection.

Embodiments can have the advantage that a system for efficiently and securely checking access authorisation, for securely processing payments and/or for securely digitally signing electronic documents is provided. To this end, the reading device is for example part of an access control device, a terminal and/or a user computer system.

In a further aspect the invention relates to a method for checking measurement data of the sensor of an ID token according to any one of the device claims by means of the protected second microcontroller, wherein the method comprises

-   transmitting a request to establish a connection between the reading device and the second application of the protected second microcontroller:
    -   receiving the request by the first microcontroller via the communication interface of the ID token,
    -   forwarding the request by the first microcontroller to the second application of the protected second microcontroller via the microcontroller communication interface of the protected second microcontroller,
-   establishing the connection between the reading device and the second application:
    -   exchanging communications in order to establish the connection between the reading device and the second application via the communication interface of the ID token, the first microcontroller, and the microcontroller communication interface of the protected second microcontroller,
-   exchanging APDUs via the connection between the reading device and the second application:
    -   receiving a command APDU by the first microcontroller via the communication interface of the ID token, wherein the command APDU requests the comparison results of the comparison, performed by the first application, of measurement data sensed by the sensor with comparison data,
    -   forwarding the command APDU by the first microcontroller to the second application via the microcontroller communication interface of the protected second microcontroller,
    -   creating a response APDU to the received command APDU by the second application with use of the comparison result received from the first application,
    -   receiving the response APDU by the first microcontroller,
    -   forwarding the response APDU by the first microcontroller to the reading device via the communication interface of the ID token,
-   providing the comparison result for the detected measurement data:
    -   sending a request to sense the measurement data to the sensor by the first microcontroller,
    -   sensing the measurement data by the sensor,
    -   receiving the sensed measurement data by the first microcontroller,
    -   forwarding the sensed measurement data by the first microcontroller to the first application via the microcontroller communication interface of the protected second microcontroller,
    -   receiving the sensed measurement data by the first application and comparing said data with the stored comparison data,
    -   forwarding the comparison result to the second application.

Embodiments can have the advantage that they provide a method for checking measurement data of the sensor of an ID token, which method at the same time offers effective protection against unlawful use of the ID token.

In accordance with embodiments the connection established between the reading device and the second application is an encrypted end-to-end connection, wherein encrypted APDUs in the form of encrypted command APDUs and encrypted response APDUs are exchanged via the encrypted end-to-end connection.

Embodiments can have the advantage that they provide a data transmission secured against interception and/or recording. In accordance with embodiments, unencrypted communications are exchanged between the reading device and the second application via the communication interface of the ID token in order to establish the encrypted end-to-end connection.

In accordance with embodiments the request to establish the connection between the reading device and the second application of the protected second microcontroller is temporarily stored by the first microcontroller, wherein the comparison result for the sensed measurement data is provided upon receipt of the request and the temporarily stored request is forwarded to the second application once the sensed measurement data have been forwarded by the first microcontroller.

Embodiments can have the advantage that measurement data are provided by way of precaution, such that the protected second microcontroller can have said data available or can access said data as required.

In accordance with embodiments, unencrypted communications to establish the connection received from the reading device are temporarily stored by the first microcontroller, wherein the first microcontroller analyses the temporarily stored unencrypted communications, interrupts the forwarding of the corresponding communication if a reference to measurement data sensed by the sensor is detected in an unencrypted communication, and causes the comparison result for the sensed measurement data to be provided, wherein temporarily stored communications already forwarded are forwarded again to the second application once the sensed measurement data have been forwarded by the first microcontroller, and the interrupted forwarding is continued.

Embodiments can have the advantage that measurement data are provided by way of precaution only when it is foreseeable that said data will also actually be required with a certain level of likelihood. For example, the analysed communication is a certificate of the reading device, and the measurement data are provided only when the reading device also has the necessary authorisation to access these measurement data.

In accordance with embodiments encrypted APDUs are sent and received by the protected second microcontroller over a first logical channel, wherein the first microcontroller analyses the unencrypted header data of the received command APDUs, interrupts the forwarding of the corresponding command APDU in the event that a reference to measurement data sensed by the sensor is detected in the unencrypted header data of an encrypted command APDU, and causes the comparison result for the sensed measurement data to be provided, wherein the sensed measurement data are forwarded to the first application over a second logical channel, wherein the interrupted forwarding over the first logical channel is continued once the sensed measurement data have been forwarded by the first microcontroller over the second logical channel.

Embodiments can have the advantage that measurement data are provided only as required. An efficient provision in spite of the encryption of the APDUs and the limited access possibilities to the protected second microcontroller is thus made possible.

In accordance with embodiments a context of the protected second microcontroller is assigned to each of the logical channels, and the second microcontroller is configured to switch between the individual contexts depending on the logical channel over which the communication with the first microcontroller occurs.

Embodiments of the invention can have the advantage that the encrypted end-to-end connection between the reading device and the second application can be maintained whilst the measurement data are requested, transmitted and compared.

Preferred embodiments of the invention will be explained in greater detail hereinafter with reference to the drawings, in which:

FIG. 1 shows a schematic block diagram of an exemplary ID token according to the present invention,

FIG. 2 shows a flow diagram for a first exemplary method for operating an ID token according to the invention,

FIG. 3 shows a flow diagram for a second exemplary method for operating an ID token according to the invention, and

FIG. 4 shows a flow diagram for a third exemplary method for operating an ID token according to the invention.

Hereinafter, similar elements will be denoted by like reference signs.

FIG. 1 shows a schematic block diagram of an exemplary ID token 10 according to the invention in combination with a reading device 20, which together form a system 100 according to the invention.

The ID token 10 comprises a first and a second microcontroller 40, 50. The first microcontroller 40 is configured to communicate, i.e. exchange data, contactlessly with the reading device 20 by means of an antenna module 30, which comprises an antenna. To this end, the reading device 20 is provided with an antenna 22. The first microcontroller 40 comprises a processor 42 and a memory 44. The memory 44 comprises machine-readable instructions, which, when executed by the processor 42, prompt the first microcontroller 40 to control the communication of the protected second microcontroller 50 with the reading device 20, the sensors 70, 72 and the output devices 80, 82. The ID token 10 also comprises the aforementioned sensors 70, 72, which for example are a fingerprint sensor 70 and a PIN keypad 72. In accordance with embodiments the sensors can also be other known types of sensors, for example a microphone, a gyroscope, an acceleration sensor, a GPS receiver and/or a thermometer. In accordance with embodiments, however, these sensors can also be provided in addition to the two sensors 70, 72. In addition, the ID token 10 comprises output devices, for example a display 80 and LEDs 82. The display 80 for example can be controlled by the first microcontroller 40 in such a way that it requests the user of the ID token 10 to place one or more fingers on the fingerprint sensor 70 or to input a PIN via the PIN keypad 72. The LEDs 82 make it possible to signal to the user that the sensors 70 and/or 72 are ready for use and/or that a fingerprint has been fully captured or a PIN has been fully input and/or that an error has occurred. This can be indicated for example by means of different colours in which the LEDs 82 light up. In accordance with embodiments the ID token 10 and in particular the LEDs 82 can also be configured to show when the result of the data comparison performed by the first application 56 of the protected second microcontroller 50 is positive.

The ID token 10 also comprises a holder 60 for a second microcontroller, in which a protected second microcontroller 50 is arranged. The second microcontroller 50 is on the one hand protected in that it has only a single contact-based microcontroller communication interface 59 for communicating or exchanging data with external elements, i.e. the first microcontroller 40, wherein the microcontroller communication interface 59 has precisely one data input and one data output. On the other hand, the second microcontroller 50 can be physically and cryptographically protected. For example, the microcontroller 50 in accordance with embodiments comprises a clock frequency sensor, a temperature sensor, a voltage sensor, and/or a light sensor. The microcontroller 50, in order to provide cryptographic security, in accordance with embodiments for example also comprises a random number generator, a generator for cryptographic keys, a hash generator, an encryption/decryption module, a signature module, one or more certificates and/or one or more non-migratable cryptographic keys. In addition, the protected second microcontroller 50 comprises a processor 52 and a memory 54 with a first and a second application 56, 58. In addition, the memory 54 comprises the comparison data (not shown) for the measurement data of the sensors 70, 72. The comparison data for example can be constituted by fingerprints or characteristic feature specifications of fingerprints of one or more users assigned to the ID token 10. Furthermore, the comparison values may comprise one or more PINs. The PINs in accordance with embodiments can be stored as ciphers in the memory 54, such that it is necessary either to also cipher the sensed measurement data for comparison with the ciphers or to decipher the stored ciphers. In accordance with embodiments the memory 54 can be a protected memory. For example, the memory 54 can be accessed only when the access authorisation necessary for this is given. In addition, in accordance with embodiments, the memory 54 can be accessed only via the processor 52.

The first application 56 comprises machine-readable instructions which prompt the second microcontroller 50, when they are executed by the processor 52, to compare the sensed measurement data of the sensors 70, 72, which data were forwarded from the first microcontroller 40 to the first application 56, with the comparison values stored in the memory 54. The comparison results are transmitted from the first application 56 to the second application 58 via an inter-applet communication (IAC). In accordance with embodiments the first application 56 can also be integrated in the second application 58. The second application 58 is configured to establish an encrypted end-to-end connection to the reading device 20. Encrypted APDUs are exchanged between the reading device 20 and the second application 58 via the encrypted end-to-end connection. Here, the reading device 20 for example sends command APDUs to the second application 58, to which said second application responds with a corresponding response APDU.

The ID token 10 also may comprise a power source (not shown), which is configured to supply power at least to the sensors 70, 72 and the display devices 80, 82. For example, the power source can be a battery or a device for energy harvesting. For example, piezoelectric crystals, thermoelectric generators, or the like can be used for this purpose.

The reading device 20 comprises a cryptographic circuit 24, which is configured to communicate contactlessly with the first microcontroller 40 of the ID token 10 by means of an antenna 22. For example, the reading device 20 can be an RFID reading device. Here, the communication between the reading device 20 and the ID token 10 can be performed for example wirelessly at a frequency of 13.56 MHz in accordance with standard ISO 14443.

The reading device 20 for example can be part of an access control system, wherein a user has to switch an access control device into a release state by means of the ID token 10 in order to gain access. To this end, an attribute for example is stored in the protected memory 54 of the protected second microcontroller 50, which attribute is to be read out by the reading device 20 and compared with a comparison attribute. Only in the event of a match between the attribute read out from the protected memory 54 and the comparison attribute of the reading device 20 is the access control device switched into a release state. In addition, identification of the user by means of a biometric feature such as a fingerprint and/or knowledge of a PIN is necessary as an access prerequisite. To this end the user must have his fingerprint scanned via the fingerprint sensor 70 and/or must input a PIN via the PIN keypad 72. The measurement data sensed by the sensors 70, 72 are forwarded to the first application 56 of the protected second microcontroller 50 via the first microcontroller 40. The first application 56 is executed by the processor 52 and compares the sensed measurement data with the comparison data stored in the protected memory 54. The comparison result is transmitted to the second application 58 from the first application 56 by an inter-applet communication and is forwarded to the reading device 20 via the encrypted end-to-end connection. Only in the event of a positive comparison result is the access control device switched into a release state. In accordance with embodiments the comparison result is not communicated to the reading device 20; rather, the second application 58 is configured in such a way that the attribute requested by the reading device 20 is only transmitted to the reading device 20 on the condition that the comparison result is positive.

FIG. 2 shows a flow diagram for a first exemplary method for operating the ID token 10 according to the invention from FIG. 1.

In block 200 the first microcontroller 40 by means of the antenna module 30 receives a first request, directed to the second application 58 of the protected second microcontroller 50, to establish an encrypted end-to-end connection. The received request is temporarily stored by the first microcontroller 40 and the forwarding thereof is interrupted. Upon receipt of the first request, the first microcontroller 40 sends a second request in block 202 for the sensing of measurement data to the fingerprint sensor 70 and/or the PIN keypad 72. The user is requested, for example via the display 80, to place a finger on the fingerprint sensor 70 and/or to input a PIN via the PIN keypad 72. The corresponding measurement data are sensed by the sensors 70, 72 and transmitted in block 204 to the first microcontroller 40, which forwards these data to the first application 56 via the microcontroller communication interface 59. In block 206 the first application 56 compares the captured measurement data with the comparison data stored in the memory 54. The comparison result is transmitted in block 208 from the first application 56 to the second application 58 of the protected second microcontroller 50, for example by an inter-applet communication, and is thus made available. The transmission can be performed directly following completion of the comparison, or the first application 56 can temporarily store the comparison results and transmit said results to the second application 58 as required, for example in response to a corresponding request. In accordance with this method, the sensing, forwarding and processing of measurement data is thus always performed when the reading device 20 attempts to read the protected second microcontroller 50, i.e. initiates establishment of a connection to the second application 58. This is the case regardless of whether, or which of, the sensed measurement data are actually required later during the course of the communication between the reading device 20 and the second application 58.

Once the measurement data have been forwarded by the first microcontroller 40, the first request to establish the encrypted end-to-end connection is forwarded in block 210 from the first microcontroller 40 to the second application 58. The first microcontroller 40 is configured here as a proxy, which switches over between the forwarding of the first request and the forwarding of measurement data and thus controls the data stream from various data sources physically separate from one another, i.e. the reading device 20 and the sensors 70, 72, to the protected second microcontroller 50. In block 212 the encrypted end-to-end connection is established for example by the exchange of certificates and/or cryptographic keys between the reading device 20 and the second application 58. The connection is established for example in accordance with the protocol described in German patent application 10 2015 202 308.7. Following the establishment of the encrypted end-to-end connection, encrypted APDUs are sent over said connection between the reading device 20 and the second application 58. For example, an encrypted command APDU is sent in block 214 from the reading device 20 to the second application 58 and is received over its transmission path by the first microcontroller 40 and is forwarded. This encrypted command APDU may request the comparison result for the sensed sensor data and/or may request an attribute, which is output only following a positive comparison result. In block 216 a response APDU, which is generated by the second application 58 as response to the command APDU with use of the comparison results and which for example includes the comparison results and/or a requested attribute, is received over its transmission path by the first microcontroller 40 and is forwarded to the reading device 20.

FIG. 3 shows a flow diagram for a second exemplary method for operating the ID token 10 according to the invention from FIG. 1.

In block 300 the encrypted end-to-end connection is established for example by the exchange of certificates and/or cryptographic keys between the reading device 20 and the second application 58. The communications sent from the reading device 20 to the second application 58 and responses thereto are stored temporarily and analysed here by the first microcontroller 40, which receives them and forwards them on. Here, certain predefined keywords or functionalities which are related to the measurement data of the sensors 70, 72 are sought for example. For example, a certificate is received in block 302 from the reading device 20 by the first microcontroller 40. The content of this certificate is analysed and, if it comprises a reference to the measurement data of the sensors 70, 72, this reference is detected in block 304. A reference of this kind for example can be an authorisation to access the corresponding measurement data. If no reference is detected, the establishment of a connection is continued by forwarding of the analysed communication; otherwise the forwarding is suspended by way of precaution and the establishment of a connection is thus interrupted in block 306. Even if the establishment of a connection is continued, the analysed communications remain temporarily stored on the first microcontroller 40 in accordance with embodiments until the establishment of a connection is concluded. For example, the analysed communication is a certificate of the reading device 20.

Once the establishment of a connection has been interrupted, the measurement data to which the analysed certificate makes reference are sensed, forwarded, processed and provided. The blocks 308 to 314 relating to the sensing, forwarding, processing and providing of the measurement data of the sensors 70, 72 are similar to the blocks 202 to 208 of the method according to FIG. 2. The communication interface 59 of the second microcontroller 50 is thus used to transmit the measurement data, whereas the transmission of communications in order to establish the encrypted end-to-end connection is suspended. Measurement data of the fingerprint sensor 70 and/or the PIN keypad 72 are sensed depending on the content of the reference.

Once the sensed measurement data have been forwarded by the first microcontroller 40 in block 310, the suspended establishment of a connection is continued in block 316. To this end it is necessary in accordance with embodiments to again forward the communications hitherto forwarded from the first microcontroller 40 and still stored thereon. In particular, the forwarding of the analysed certificate interrupted in block 306 is continued. Once the encrypted end-to-end connection has been established, encrypted APDUs are exchanged in block 318 between the reading device 20 and the second application 58. This for example comprises the receiving and transmitting of command and response APDUs, similarly to the blocks 214 and 216 in FIG. 2.

FIG. 4 shows a flow diagram for a third exemplary method for operating the ID token 10 according to the invention from FIG. 1.

In block 400 an encrypted end-to-end connection between the reading device 20 and a second application 58 is established. Encrypted APDUs are transmitted to the protected second microcontroller 50 via the contact-based microcontroller communication interface 59 thereof over a first logical channel. A first context of the protected second microcontroller 50 is assigned to the first logical channel. In block 402 an encrypted command APDU sent from the reading device 20 is received by the first microcontroller 40. The first microcontroller 40 does not have any access to the encrypted user data of the command APDU; however, it does have access to the unencrypted header data thereof. These header data for example are analysed with a predefined search form. In block 404 a reference to measurement data of the sensors 70, 72 is detected, for example an access to the corresponding measurement data. In block 406 the communication via the first logical channel is then paused. The analysed command APDU temporarily stored on the first microcontroller 40 is not forwarded for the time being.

The first microcontroller 40 switches over and establishes a connection between the fingerprint sensor 70 and/or the PIN keypad 72 on the one hand and the first application 56 of the protected second microcontroller 50 on the other hand by requesting measurement data and transmitting said data over a second logical channel to the protected second microcontroller 50. A second context of the protected second microcontroller 50 is assigned to the second logical channel. The protected second microcontroller 50 is configured to change between the various contexts depending on which logical channel is used for communication. In the case of the communication between the microcontrollers 40, 50, the first microcontroller 40 acts as master, and the protected second microcontroller 50 acts as a slave. The blocks 408 to 414 relating to the sensing, forwarding, processing and providing of the measurement data of the sensors 70, 72 are similar to the blocks 202 to 208 of the method according to FIG. 2.

Once the sensed measurement data have been forwarded by means of the second logical channel in block 410, the first microcontroller 40 in block 416 changes back to the paused first logical channel and continues the encrypted communication by forwarding the temporarily stored command APDU to the second application 58. The second application 58 responds to the command APDU for example with a response APDU similarly to block 216 in FIG. 2, which is received by the first microcontroller 40 and forwarded via the antenna module 30 to the reading device 20.
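The proxy switching of FIG. 4 (blocks 402 to 416), and likewise the header-based interruption of the logical-channel embodiment described earlier, as an added Python simulation that is not code from the patent or from any product: the first microcontroller reads only the unencrypted CLA/INS/P1/P2 header, pauses the first logical channel when the instruction references sensor data, forwards the PIN over the second channel to the first application, and then resumes by forwarding the stored command APDU. Assumptions: the ISO 7816-4 VERIFY instruction is the header reference to PIN measurement data, the enrolled PIN is held as a hash (the "cipher" of the description), the session key is a constructed constant, and a keystream XOR stands in for the real end-to-end encryption.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# ISO 7816-4 instruction bytes; which of them count as a "reference to
# measurement data" is an assumption of this example, not taken from the patent.
INS_VERIFY = 0x20                    # VERIFY: treated here as a reference to the PIN
INS_GET_DATA = 0xCA                  # GET DATA: no sensor reference
MEASUREMENT_INS = {INS_VERIFY}       # the predefined "search form" for the header analysis
CHANNEL_APDU, CHANNEL_SENSOR = 0, 1  # first / second logical channel (blocks 400, 408)
SW_OK, SW_SECURITY = b"\x90\x00", b"\x69\x82"   # ISO 7816-4 status words
ATTRIBUTE = b"ACCESS-GROUP:LAB-7"    # constructed attribute held in memory 54


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the end-to-end encryption (applying it twice decrypts)."""
    ks = hashlib.sha256(key).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    body: bytes          # encrypted user data: opaque to the first microcontroller

    def header(self) -> bytes:
        return bytes([self.cla, self.ins, self.p1, self.p2])


@dataclass
class ProtectedMicrocontroller:
    """Microcontroller 50: first application compares, second application answers APDUs."""
    session_key: bytes
    comparison_hash: bytes                    # enrolled PIN kept as a cipher (hash) in memory 54
    active_context: int = CHANNEL_APDU        # context follows the logical channel in use
    comparison_result: Optional[bool] = None  # handed from first to second application (IAC)

    def first_application(self, measurement: bytes) -> bool:
        # Cipher the sensed data and compare it with the stored cipher (block 412).
        self.comparison_result = hashlib.sha256(measurement).digest() == self.comparison_hash
        return self.comparison_result

    def second_application(self, apdu: CommandAPDU) -> bytes:
        if apdu.ins == INS_GET_DATA:
            return keystream_xor(self.session_key, b"public-data") + SW_OK
        if apdu.ins == INS_VERIFY:
            result, self.comparison_result = self.comparison_result, None  # consume once
            if result:   # the attribute is released only on a positive comparison
                return keystream_xor(self.session_key, ATTRIBUTE) + SW_OK
            return SW_SECURITY
        return b"\x6D\x00"   # INS not supported

    def receive(self, channel: int, payload):
        self.active_context = channel        # switch to the context of this channel
        if channel == CHANNEL_SENSOR:
            return self.first_application(payload)
        return self.second_application(payload)


@dataclass
class ProxyMicrocontroller:
    """Microcontroller 40 acting as proxy between reader, sensor and microcontroller 50."""
    smc: ProtectedMicrocontroller
    sensor: Callable[[], bytes]           # PIN keypad 72 (constructed stand-in)
    paused: Optional[CommandAPDU] = None  # temporarily stored command APDU
    log: List[str] = field(default_factory=list)

    def handle_command(self, apdu: CommandAPDU) -> bytes:
        # Only the unencrypted header is analysed (blocks 402 and 404).
        self.log.append(f"rx header {apdu.header().hex()}")
        if apdu.ins in MEASUREMENT_INS:
            self.paused = apdu                              # block 406: pause channel 1
            measurement = self.sensor()                     # block 408: request and sense
            self.smc.receive(CHANNEL_SENSOR, measurement)   # blocks 410-414 on channel 2
            self.log.append("channel 1 paused; measurement forwarded on channel 2")
            apdu, self.paused = self.paused, None           # block 416: resume channel 1
        response = self.smc.receive(CHANNEL_APDU, apdu)
        self.log.append(f"tx response sw {response[-2:].hex()}")
        return response


def run_access_check(entered_pin: bytes, enrolled_pin: bytes = b"1234"):
    """Reader 20 sends GET DATA, then VERIFY; returns both status words, the attribute and the log."""
    key = b"constructed-session-key"          # would result from the handshake in block 400
    smc = ProtectedMicrocontroller(key, hashlib.sha256(enrolled_pin).digest())
    proxy = ProxyMicrocontroller(smc, sensor=lambda: entered_pin)
    r1 = proxy.handle_command(CommandAPDU(0x00, INS_GET_DATA, 0x00, 0x00, b""))
    r2 = proxy.handle_command(CommandAPDU(0x00, INS_VERIFY, 0x00, 0x80,
                                          keystream_xor(key, b"reader-nonce")))
    attribute = keystream_xor(key, r2[:-2]) if r2[-2:] == SW_OK else None
    return r1[-2:], r2[-2:], attribute, proxy.log


if __name__ == "__main__":
    print(run_access_check(b"1234"))   # correct PIN: attribute released
    print(run_access_check(b"9999"))   # wrong PIN: SW 6982, no attribute
```

The GET DATA command passes straight through on the first channel, whereas VERIFY is the only command that makes the proxy switch to the sensor channel before forwarding.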

List of reference signs

-   10 ID token
-   20 reading device
-   22 antenna
-   24 cryptographic circuit
-   30 antenna module
-   40 first microcontroller
-   42 first processor
-   44 first memory
-   50 second protected microcontroller
-   52 second processor
-   54 second memory
-   56 first application
-   58 second application
-   59 communication interface
-   60 holder
-   70 fingerprint sensor
-   72 PIN keypad
-   80 display
-   82 LEDs
-   100 system

The invention claimed is:
1. An identification (ID) token comprising a sensor configured to sense measurement data, a communication interface, a first microcontroller, and a protected second microcontroller having at least one microcontroller communication interface, which is arranged in a holder of the ID token, wherein the microcontroller communication interface is configured to provide a data input and a data output; wherein the first microcontroller, for data exchange with the microcontroller communication interface of the protected second microcontroller, is connected to the sensor and to the communication interface of the ID token, and wherein the first microcontroller is configured to exchange data with a reading device via the communication interface of the ID token; wherein the protected second microcontroller comprises a first and a second application; wherein the first application is configured to compare the measurement data of the sensor with comparison data stored in a memory of the second microcontroller and forward the comparison result to the second application; wherein the second application is configured to establish a connection to the reading device in the form of an encrypted end-to-end connection and output specified data by a read command of the reading device via the encrypted end-to-end connection, wherein encrypted Application Protocol Data Units (APDUs) are transmitted via the encrypted end-to-end connection; wherein the first microcontroller is configured as a proxy for switching between (1) the sensing of the measurement data by the sensor and forwarding of the sensed measurement data from the sensor to the first application of the protected second microcontroller using the microcontroller communication interface of the second microcontroller and (2) forwarding of notifications for establishing a connection between the second application and the reading device or forwarding of APDUs using the communication interface of the ID token; wherein the protected second microcontroller is further configured to provide a plurality of logical channels for data exchange via the microcontroller communication interface, wherein the communication via the encrypted end-to-end connection is performed over a first logical channel of the second microcontroller, and wherein the first microcontroller is further configured to: receive and temporarily store an encrypted Application Protocol Data Unit (APDU), wherein the APDU is sent via the encrypted end-to-end connection from the reading device to the second application and contains unencrypted header data and encrypted user data, and analyze the header data; send to the sensor a request to sense the measurement data, in response to the header data comprising a reference to measurement data sensed by the sensor; receive, upon receipt of the request to sense the measurement data, the sensed measurement data from the sensor and forward the measurement data to the first application over a second logical channel of the second microcontroller; and forward the temporarily stored encrypted APDU to the second application over the first logical channel.
2. The ID token according to claim 1, wherein the at least one microcontroller communication interface of the protected second microcontroller is a contact-based communication interface.
3. The ID token according to claim 1, wherein the protected second microcontroller comprises a single microcontroller communication interface.
4. The ID token according to claim 1, wherein the first microcontroller is further configured to exchange data contactlessly with a reading device via the communication interface of the ID token.
5. The ID token according to claim 1, wherein the first microcontroller is further configured to exchange data in a contact-based manner with the reading device via the communication interface of the ID token.
6. The ID token according to claim 1, wherein the second application comprises the first application.
7. The ID token according to claim 1, wherein the measurement data comprises one or more of the following: biometric features, a PIN, acceleration data, GPS coordinates and temperature data, or any combinations thereof.
8. The ID token according to claim 1, wherein the ID token comprises a plurality of different sensors configured to sense a plurality of different items of measurement data, and the first microcontroller is connected to the plurality of different sensors for data exchange, wherein the first application is further configured to compare the measurement data of each sensor from the plurality of different sensors with comparison data stored in a memory of the second microcontroller and to forward comparison results generated from comparing the measurement data to the second application.
9. The ID token according to claim 1, wherein the first microcontroller is further configured as a master and the protected second microcontroller is further configured as a slave.
10. The ID token according to claim 1, wherein the second microcontroller is physically protected by one or more of the following elements: a clock frequency sensor, a temperature sensor, a voltage sensor, and a light sensor, or any combinations thereof.
11. The ID token according to claim 1, wherein the second microcontroller is cryptographically protected by one or more of the following elements: a random number generator, a generator for cryptographic keys, a hash generator, an encryption and decryption module, a signature module, one or more certificates and one or more non-migratable or cryptographic keys, or any combinations thereof.
12. The ID token according to claim 1, wherein the microcontroller communication interface of the protected second microcontroller is hard-wired to the first microcontroller.
13. The ID token according to claim 1, wherein the protected second microcontroller is further configured as an exchangeable module and the holder of the ID token is configured as a plug-in connection for the exchangeable module.
14. The ID token according to claim 1, wherein the ID token further includes an output device to which the first microcontroller is connected for data exchange.
15. A system which comprises: an identification (ID) token; and a reading device having a reading device communication interface configured for data exchange with a communication interface of the ID token; wherein the ID token comprises: a sensor configured to sense measurement data, the communication interface, a first microcontroller, and a protected second microcontroller having at least one microcontroller communication interface, which is arranged in a holder of the ID token, wherein the microcontroller communication interface is configured to provide a data input and a data output; wherein the first microcontroller, for data exchange with the microcontroller communication interface of the protected second microcontroller, is connected to the sensor and to the communication interface of the ID token, and wherein the first microcontroller is configured to exchange data with a reading device via the communication interface of the ID token; wherein the protected second microcontroller comprises a first and a second application; wherein the first application is configured to compare the measurement data of the sensor with comparison data stored in a memory of the second microcontroller and forward the comparison result to the second application; wherein the second application is configured to establish a connection to the reading device in the form of an encrypted end-to-end connection and output specified data by a read command of the reading device via the encrypted end-to-end connection, wherein encrypted Application Protocol Data Units (APDUs) are transmitted via the encrypted end-to-end connection; wherein the first microcontroller is a proxy for switching between (1) the sensing of the measurement data by the sensor and forwarding of the sensed measurement data from the sensor to the first application of the protected second microcontroller using the microcontroller communication interface of the second microcontroller and (2) forwarding of notifications for establishing a connection between the second application and the reading device or forwarding of Application Protocol Data Units (APDUs) using the communication interface of the ID token; wherein the protected second microcontroller is further configured to provide a plurality of logical channels for data exchange via the microcontroller communication interface, wherein the communication via the encrypted end-to-end connection is performed over a first logical channel of the second microcontroller, and wherein the first microcontroller is further configured to: receive and temporarily store an encrypted Application Protocol Data Unit (APDU), wherein the APDU is sent via the encrypted end-to-end connection from the reading device to the second application and contains unencrypted header data and encrypted user data, and analyze the header data; send to the sensor a request to sense the measurement data, in response to the header data comprising a reference to measurement data sensed by the sensor; receive, upon receipt of the request to sense the measurement data, the sensed measurement data from the sensor and forward the measurement data to the first application over a second logical channel of the second microcontroller; and forward the temporarily stored encrypted APDU to the second application over the first logical channel.
16. An identification (ID) token comprising a sensor configured to sense measurement data, a communication interface, a first microcontroller, and a protected second microcontroller having at least one microcontroller communication interface, which is arranged in a holder of the ID token, wherein the microcontroller communication interface is configured to provide a data input and a data output; wherein the first microcontroller, for data exchange with the microcontroller communication interface of the protected second microcontroller, is connected to the sensor and to the communication interface of the ID token, and wherein the first microcontroller is configured to exchange data with a reading device via the communication interface of the ID token; wherein the protected second microcontroller comprises a first and a second application; wherein the first application is configured to compare the measurement data of the sensor with comparison data stored in a memory of the second microcontroller and forward the comparison result to the second application; wherein the second application is configured to establish a connection to the reading device and output specified data by a read command of the reading device; wherein the first microcontroller is configured as a proxy for switching between (1) the sensing of the measurement data by the sensor and forwarding of the sensed measurement data from the sensor to the first application of the protected second microcontroller using the microcontroller communication interface of the second microcontroller and (2) forwarding of notifications for establishing a connection between the second application and the reading device or forwarding of Application Protocol Data Units (APDUs) using the communication interface of the ID token; wherein the first microcontroller is further configured to: receive an unencrypted communication sent from the reading device to the second application during the course of establishing an encrypted end-to-end connection, wherein said unencrypted communication is temporarily stored and analyzed; in response to the unencrypted communication including a reference to measurement data sensed by the sensor, send a request to sense the measurement data to the sensor; upon receipt of the request, receive the sensed measurement data from the sensor and forward the measurement data to the first application; and forward the temporarily stored unencrypted communication to the second application, wherein the unencrypted communication is a certificate which authorizes the reading device to check the measurement data sensed by the sensor using the first application.
17. The ID token according to claim 16, wherein the second application is configured to establish the connection to the reading device in the form of an encrypted end-to-end connection and output the specified data by the read command of the reading device via the encrypted end-to-end connection, wherein encrypted APDUs are transmitted via the encrypted end-to-end connection.
18. The ID token according to claim 16, wherein the first microcontroller is further configured to: receive all communications sent from the reading device to the second application during the course of the establishment of the encrypted end-to-end connection, and temporarily store and forward the communications, wherein, once the measurement data has been forwarded, all temporarily stored communications are forwarded again to the second application.
19. A system which comprises: an identification (ID) token; and a reading device having a reading device communication interface configured for data exchange with a communication interface of the ID token; wherein the ID token comprises: a sensor configured to sense measurement data, the communication interface, a first microcontroller, and a protected second microcontroller having at least one microcontroller communication interface, which is arranged in a holder of the ID token, wherein the microcontroller communication interface is configured to provide a data input and a data output; wherein the first microcontroller, for data exchange with the microcontroller communication interface of the protected second microcontroller, is connected to the sensor and to the communication interface of the ID token, and wherein the first microcontroller is configured to exchange data with a reading device via the communication interface of the ID token; wherein the protected second microcontroller comprises a first and a second application; wherein the first application is configured to compare the measurement data of the sensor with comparison data stored in a memory of the second microcontroller and forward the comparison result to the second application; wherein the second application is configured to establish a connection to the reading device and output specified data by a read command of the reading device; wherein the first microcontroller is configured as a proxy for switching between (1) the sensing of the measurement data by the sensor and forwarding of the sensed measurement data from the sensor to the first application of the protected second microcontroller using the microcontroller communication interface of the second microcontroller and (2) forwarding of notifications for establishing a connection between the second application and the reading device or forwarding of Application Protocol Data Units (APDUs) using the communication interface of the ID token; wherein the first microcontroller is further configured to: receive an unencrypted communication sent from the reading device to the second application during the course of establishing an encrypted end-to-end connection, wherein said unencrypted communication is temporarily stored and analyzed; in response to the unencrypted communication including a reference to measurement data sensed by the sensor, send a request to sense the measurement data to the sensor; upon receipt of the request, receive the sensed measurement data from the sensor and forward the measurement data to the first application; and forward the temporarily stored unencrypted communication to the second application, wherein the unencrypted communication is a certificate which authorizes the reading device to check the measurement data sensed by the sensor using the first application.
20. The system according to claim 19, wherein the second application is configured to establish the connection to the reading device in the form of an encrypted end-to-end connection and output the specified data by the read command of the reading device via the encrypted end-to-end connection, wherein encrypted APDUs are transmitted via the encrypted end-to-end connection.